]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-scope.c
projects / thirdparty / systemd.git / blob
? search:


763789c450f76d308e440e28b7a732c69e176f3a
[thirdparty/systemd.git] / src / resolve / resolved-dns-scope.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2014 Lennart Poettering
6 ***/
7
8 #include <netinet/tcp.h>
9
10 #include "af-list.h"
11 #include "alloc-util.h"
12 #include "dns-domain.h"
13 #include "fd-util.h"
14 #include "hostname-util.h"
15 #include "missing.h"
16 #include "random-util.h"
17 #include "resolved-dnssd.h"
18 #include "resolved-dns-scope.h"
19 #include "resolved-dns-zone.h"
20 #include "resolved-llmnr.h"
21 #include "resolved-mdns.h"
22 #include "socket-util.h"
23 #include "strv.h"
24
25 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
26 #define MULTICAST_RATELIMIT_BURST 1000
27
28 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
29 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
30 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
31
32 int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
33 DnsScope *s;
34
35 assert(m);
36 assert(ret);
37
38 s = new0(DnsScope, 1);
39 if (!s)
40 return -ENOMEM;
41
42 s->manager = m;
43 s->link = l;
44 s->protocol = protocol;
45 s->family = family;
46 s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
47
48 if (protocol == DNS_PROTOCOL_DNS) {
49 /* Copy DNSSEC mode from the link if it is set there,
50 * otherwise take the manager's DNSSEC mode. Note that
51 * we copy this only at scope creation time, and do
52 * not update it from the on, even if the setting
53 * changes. */
54
55 if (l)
56 s->dnssec_mode = link_get_dnssec_mode(l);
57 else
58 s->dnssec_mode = manager_get_dnssec_mode(m);
59 } else
60 s->dnssec_mode = DNSSEC_NO;
61
62 LIST_PREPEND(scopes, m->dns_scopes, s);
63
64 dns_scope_llmnr_membership(s, true);
65 dns_scope_mdns_membership(s, true);
66
67 log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
68
69 /* Enforce ratelimiting for the multicast protocols */
70 RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
71
72 *ret = s;
73 return 0;
74 }
75
76 static void dns_scope_abort_transactions(DnsScope *s) {
77 assert(s);
78
79 while (s->transactions) {
80 DnsTransaction *t = s->transactions;
81
82 /* Abort the transaction, but make sure it is not
83 * freed while we still look at it */
84
85 t->block_gc++;
86 if (DNS_TRANSACTION_IS_LIVE(t->state))
87 dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
88 t->block_gc--;
89
90 dns_transaction_free(t);
91 }
92 }
93
94 DnsScope* dns_scope_free(DnsScope *s) {
95 if (!s)
96 return NULL;
97
98 log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
99
100 dns_scope_llmnr_membership(s, false);
101 dns_scope_mdns_membership(s, false);
102 dns_scope_abort_transactions(s);
103
104 while (s->query_candidates)
105 dns_query_candidate_free(s->query_candidates);
106
107 hashmap_free(s->transactions_by_key);
108
109 ordered_hashmap_free_with_destructor(s->conflict_queue, dns_resource_record_unref);
110 sd_event_source_unref(s->conflict_event_source);
111
112 sd_event_source_unref(s->announce_event_source);
113
114 dns_cache_flush(&s->cache);
115 dns_zone_flush(&s->zone);
116
117 LIST_REMOVE(scopes, s->manager->dns_scopes, s);
118 return mfree(s);
119 }
120
121 DnsServer *dns_scope_get_dns_server(DnsScope *s) {
122 assert(s);
123
124 if (s->protocol != DNS_PROTOCOL_DNS)
125 return NULL;
126
127 if (s->link)
128 return link_get_dns_server(s->link);
129 else
130 return manager_get_dns_server(s->manager);
131 }
132
133 unsigned dns_scope_get_n_dns_servers(DnsScope *s) {
134 unsigned n = 0;
135 DnsServer *i;
136
137 assert(s);
138
139 if (s->protocol != DNS_PROTOCOL_DNS)
140 return 0;
141
142 if (s->link)
143 i = s->link->dns_servers;
144 else
145 i = s->manager->dns_servers;
146
147 for (; i; i = i->servers_next)
148 n++;
149
150 return n;
151 }
152
153 void dns_scope_next_dns_server(DnsScope *s) {
154 assert(s);
155
156 if (s->protocol != DNS_PROTOCOL_DNS)
157 return;
158
159 if (s->link)
160 link_next_dns_server(s->link);
161 else
162 manager_next_dns_server(s->manager);
163 }
164
165 void dns_scope_packet_received(DnsScope *s, usec_t rtt) {
166 assert(s);
167
168 if (rtt <= s->max_rtt)
169 return;
170
171 s->max_rtt = rtt;
172 s->resend_timeout = MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC, s->max_rtt * 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC);
173 }
174
175 void dns_scope_packet_lost(DnsScope *s, usec_t usec) {
176 assert(s);
177
178 if (s->resend_timeout <= usec)
179 s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
180 }
181
182 static int dns_scope_emit_one(DnsScope *s, int fd, DnsPacket *p) {
183 union in_addr_union addr;
184 int ifindex = 0, r;
185 int family;
186 uint32_t mtu;
187
188 assert(s);
189 assert(p);
190 assert(p->protocol == s->protocol);
191
192 if (s->link) {
193 mtu = s->link->mtu;
194 ifindex = s->link->ifindex;
195 } else
196 mtu = manager_find_mtu(s->manager);
197
198 switch (s->protocol) {
199
200 case DNS_PROTOCOL_DNS:
201 assert(fd >= 0);
202
203 if (DNS_PACKET_QDCOUNT(p) > 1)
204 return -EOPNOTSUPP;
205
206 if (p->size > DNS_PACKET_UNICAST_SIZE_MAX)
207 return -EMSGSIZE;
208
209 if (p->size + UDP_PACKET_HEADER_SIZE > mtu)
210 return -EMSGSIZE;
211
212 r = manager_write(s->manager, fd, p);
213 if (r < 0)
214 return r;
215
216 break;
217
218 case DNS_PROTOCOL_LLMNR:
219 assert(fd < 0);
220
221 if (DNS_PACKET_QDCOUNT(p) > 1)
222 return -EOPNOTSUPP;
223
224 if (!ratelimit_below(&s->ratelimit))
225 return -EBUSY;
226
227 family = s->family;
228
229 if (family == AF_INET) {
230 addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
231 fd = manager_llmnr_ipv4_udp_fd(s->manager);
232 } else if (family == AF_INET6) {
233 addr.in6 = LLMNR_MULTICAST_IPV6_ADDRESS;
234 fd = manager_llmnr_ipv6_udp_fd(s->manager);
235 } else
236 return -EAFNOSUPPORT;
237 if (fd < 0)
238 return fd;
239
240 r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, NULL, p);
241 if (r < 0)
242 return r;
243
244 break;
245
246 case DNS_PROTOCOL_MDNS:
247 assert(fd < 0);
248
249 if (!ratelimit_below(&s->ratelimit))
250 return -EBUSY;
251
252 family = s->family;
253
254 if (family == AF_INET) {
255 addr.in = MDNS_MULTICAST_IPV4_ADDRESS;
256 fd = manager_mdns_ipv4_fd(s->manager);
257 } else if (family == AF_INET6) {
258 addr.in6 = MDNS_MULTICAST_IPV6_ADDRESS;
259 fd = manager_mdns_ipv6_fd(s->manager);
260 } else
261 return -EAFNOSUPPORT;
262 if (fd < 0)
263 return fd;
264
265 r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, NULL, p);
266 if (r < 0)
267 return r;
268
269 break;
270
271 default:
272 return -EAFNOSUPPORT;
273 }
274
275 return 1;
276 }
277
278 int dns_scope_emit_udp(DnsScope *s, int fd, DnsPacket *p) {
279 int r;
280
281 assert(s);
282 assert(p);
283 assert(p->protocol == s->protocol);
284 assert((s->protocol == DNS_PROTOCOL_DNS) == (fd >= 0));
285
286 do {
287 /* If there are multiple linked packets, set the TC bit in all but the last of them */
288 if (p->more) {
289 assert(p->protocol == DNS_PROTOCOL_MDNS);
290 dns_packet_set_flags(p, true, true);
291 }
292
293 r = dns_scope_emit_one(s, fd, p);
294 if (r < 0)
295 return r;
296
297 p = p->more;
298 } while (p);
299
300 return 0;
301 }
302
303 static int dns_scope_socket(
304 DnsScope *s,
305 int type,
306 int family,
307 const union in_addr_union *address,
308 DnsServer *server,
309 uint16_t port) {
310
311 _cleanup_close_ int fd = -1;
312 union sockaddr_union sa = {};
313 socklen_t salen;
314 static const int one = 1;
315 int r, ifindex;
316
317 assert(s);
318
319 if (server) {
320 assert(family == AF_UNSPEC);
321 assert(!address);
322
323 ifindex = dns_server_ifindex(server);
324
325 sa.sa.sa_family = server->family;
326 if (server->family == AF_INET) {
327 sa.in.sin_port = htobe16(port);
328 sa.in.sin_addr = server->address.in;
329 salen = sizeof(sa.in);
330 } else if (server->family == AF_INET6) {
331 sa.in6.sin6_port = htobe16(port);
332 sa.in6.sin6_addr = server->address.in6;
333 sa.in6.sin6_scope_id = ifindex;
334 salen = sizeof(sa.in6);
335 } else
336 return -EAFNOSUPPORT;
337 } else {
338 assert(family != AF_UNSPEC);
339 assert(address);
340
341 sa.sa.sa_family = family;
342 ifindex = s->link ? s->link->ifindex : 0;
343
344 if (family == AF_INET) {
345 sa.in.sin_port = htobe16(port);
346 sa.in.sin_addr = address->in;
347 salen = sizeof(sa.in);
348 } else if (family == AF_INET6) {
349 sa.in6.sin6_port = htobe16(port);
350 sa.in6.sin6_addr = address->in6;
351 sa.in6.sin6_scope_id = ifindex;
352 salen = sizeof(sa.in6);
353 } else
354 return -EAFNOSUPPORT;
355 }
356
357 fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
358 if (fd < 0)
359 return -errno;
360
361 if (type == SOCK_STREAM) {
362 r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
363 if (r < 0)
364 return -errno;
365 }
366
367 if (s->link) {
368 be32_t ifindex_be = htobe32(ifindex);
369
370 if (sa.sa.sa_family == AF_INET) {
371 r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex_be, sizeof(ifindex_be));
372 if (r < 0)
373 return -errno;
374 } else if (sa.sa.sa_family == AF_INET6) {
375 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex_be, sizeof(ifindex_be));
376 if (r < 0)
377 return -errno;
378 }
379 }
380
381 if (s->protocol == DNS_PROTOCOL_LLMNR) {
382 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
383
384 if (sa.sa.sa_family == AF_INET) {
385 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
386 if (r < 0)
387 return -errno;
388 } else if (sa.sa.sa_family == AF_INET6) {
389 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
390 if (r < 0)
391 return -errno;
392 }
393 }
394
395 r = connect(fd, &sa.sa, salen);
396 if (r < 0 && errno != EINPROGRESS)
397 return -errno;
398
399 return TAKE_FD(fd);
400 }
401
402 int dns_scope_socket_udp(DnsScope *s, DnsServer *server, uint16_t port) {
403 return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, server, port);
404 }
405
406 int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port) {
407 return dns_scope_socket(s, SOCK_STREAM, family, address, server, port);
408 }
409
410 DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
411 DnsSearchDomain *d;
412
413 assert(s);
414 assert(domain);
415
416 /* Checks if the specified domain is something to look up on
417 * this scope. Note that this accepts non-qualified hostnames,
418 * i.e. those without any search path prefixed yet. */
419
420 if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
421 return DNS_SCOPE_NO;
422
423 if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, 0) & flags) == 0)
424 return DNS_SCOPE_NO;
425
426 /* Never resolve any loopback hostname or IP address via DNS,
427 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
428 * these. */
429 if (is_localhost(domain) ||
430 dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
431 dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
432 return DNS_SCOPE_NO;
433
434 /* Never respond to some of the domains listed in RFC6303 */
435 if (dns_name_endswith(domain, "0.in-addr.arpa") > 0 ||
436 dns_name_equal(domain, "255.255.255.255.in-addr.arpa") > 0 ||
437 dns_name_equal(domain, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
438 return DNS_SCOPE_NO;
439
440 /* Never respond to some of the domains listed in RFC6761 */
441 if (dns_name_endswith(domain, "invalid") > 0)
442 return DNS_SCOPE_NO;
443
444 switch (s->protocol) {
445
446 case DNS_PROTOCOL_DNS: {
447 DnsServer *dns_server;
448
449 /* Never route things to scopes that lack DNS servers */
450 dns_server = dns_scope_get_dns_server(s);
451 if (!dns_server)
452 return DNS_SCOPE_NO;
453
454 /* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
455 * we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
456 * won't be considered anymore. */
457 LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
458 if (dns_name_endswith(domain, d->name) > 0)
459 return DNS_SCOPE_YES;
460
461 /* If the DNS server has route-only domains, don't send other requests to it. This would be a privacy
462 * violation, will most probably fail anyway, and adds unnecessary load. */
463 if (dns_server_limited_domains(dns_server))
464 return DNS_SCOPE_NO;
465
466 /* Exclude link-local IP ranges */
467 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
468 dns_name_endswith(domain, "8.e.f.ip6.arpa") == 0 &&
469 dns_name_endswith(domain, "9.e.f.ip6.arpa") == 0 &&
470 dns_name_endswith(domain, "a.e.f.ip6.arpa") == 0 &&
471 dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0 &&
472 /* If networks use .local in their private setups, they are supposed to also add .local to their search
473 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
474 * send such queries ordinary DNS servers. */
475 dns_name_endswith(domain, "local") == 0)
476 return DNS_SCOPE_MAYBE;
477
478 return DNS_SCOPE_NO;
479 }
480
481 case DNS_PROTOCOL_MDNS:
482 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
483 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
484 (dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
485 dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */
486 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via mDNS */
487 return DNS_SCOPE_MAYBE;
488
489 return DNS_SCOPE_NO;
490
491 case DNS_PROTOCOL_LLMNR:
492 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
493 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
494 (dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
495 !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
496 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
497 return DNS_SCOPE_MAYBE;
498
499 return DNS_SCOPE_NO;
500
501 default:
502 assert_not_reached("Unknown scope protocol");
503 }
504 }
505
506 bool dns_scope_good_key(DnsScope *s, const DnsResourceKey *key) {
507 int key_family;
508
509 assert(s);
510 assert(key);
511
512 /* Check if it makes sense to resolve the specified key on
513 * this scope. Note that this call assumes as fully qualified
514 * name, i.e. the search suffixes already appended. */
515
516 if (key->class != DNS_CLASS_IN)
517 return false;
518
519 if (s->protocol == DNS_PROTOCOL_DNS) {
520
521 /* On classic DNS, looking up non-address RRs is always
522 * fine. (Specifically, we want to permit looking up
523 * DNSKEY and DS records on the root and top-level
524 * domains.) */
525 if (!dns_resource_key_is_address(key))
526 return true;
527
528 /* However, we refuse to look up A and AAAA RRs on the
529 * root and single-label domains, under the assumption
530 * that those should be resolved via LLMNR or search
531 * path only, and should not be leaked onto the
532 * internet. */
533 return !(dns_name_is_single_label(dns_resource_key_name(key)) ||
534 dns_name_is_root(dns_resource_key_name(key)));
535 }
536
537 /* On mDNS and LLMNR, send A and AAAA queries only on the
538 * respective scopes */
539
540 key_family = dns_type_to_af(key->type);
541 if (key_family < 0)
542 return true;
543
544 return key_family == s->family;
545 }
546
547 static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in, struct in6_addr in6) {
548 int fd;
549
550 assert(s);
551 assert(s->link);
552
553 if (s->family == AF_INET) {
554 struct ip_mreqn mreqn = {
555 .imr_multiaddr = in,
556 .imr_ifindex = s->link->ifindex,
557 };
558
559 if (s->protocol == DNS_PROTOCOL_LLMNR)
560 fd = manager_llmnr_ipv4_udp_fd(s->manager);
561 else
562 fd = manager_mdns_ipv4_fd(s->manager);
563
564 if (fd < 0)
565 return fd;
566
567 /* Always first try to drop membership before we add
568 * one. This is necessary on some devices, such as
569 * veth. */
570 if (b)
571 (void) setsockopt(fd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn));
572
573 if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
574 return -errno;
575
576 } else if (s->family == AF_INET6) {
577 struct ipv6_mreq mreq = {
578 .ipv6mr_multiaddr = in6,
579 .ipv6mr_interface = s->link->ifindex,
580 };
581
582 if (s->protocol == DNS_PROTOCOL_LLMNR)
583 fd = manager_llmnr_ipv6_udp_fd(s->manager);
584 else
585 fd = manager_mdns_ipv6_fd(s->manager);
586
587 if (fd < 0)
588 return fd;
589
590 if (b)
591 (void) setsockopt(fd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
592
593 if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
594 return -errno;
595 } else
596 return -EAFNOSUPPORT;
597
598 return 0;
599 }
600
601 int dns_scope_llmnr_membership(DnsScope *s, bool b) {
602 assert(s);
603
604 if (s->protocol != DNS_PROTOCOL_LLMNR)
605 return 0;
606
607 return dns_scope_multicast_membership(s, b, LLMNR_MULTICAST_IPV4_ADDRESS, LLMNR_MULTICAST_IPV6_ADDRESS);
608 }
609
610 int dns_scope_mdns_membership(DnsScope *s, bool b) {
611 assert(s);
612
613 if (s->protocol != DNS_PROTOCOL_MDNS)
614 return 0;
615
616 return dns_scope_multicast_membership(s, b, MDNS_MULTICAST_IPV4_ADDRESS, MDNS_MULTICAST_IPV6_ADDRESS);
617 }
618
619 int dns_scope_make_reply_packet(
620 DnsScope *s,
621 uint16_t id,
622 int rcode,
623 DnsQuestion *q,
624 DnsAnswer *answer,
625 DnsAnswer *soa,
626 bool tentative,
627 DnsPacket **ret) {
628
629 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
630 int r;
631
632 assert(s);
633 assert(ret);
634
635 if (dns_question_isempty(q) &&
636 dns_answer_isempty(answer) &&
637 dns_answer_isempty(soa))
638 return -EINVAL;
639
640 r = dns_packet_new(&p, s->protocol, 0, DNS_PACKET_SIZE_MAX);
641 if (r < 0)
642 return r;
643
644 DNS_PACKET_HEADER(p)->id = id;
645 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
646 1 /* qr */,
647 0 /* opcode */,
648 0 /* c */,
649 0 /* tc */,
650 tentative,
651 0 /* (ra) */,
652 0 /* (ad) */,
653 0 /* (cd) */,
654 rcode));
655
656 r = dns_packet_append_question(p, q);
657 if (r < 0)
658 return r;
659 DNS_PACKET_HEADER(p)->qdcount = htobe16(dns_question_size(q));
660
661 r = dns_packet_append_answer(p, answer);
662 if (r < 0)
663 return r;
664 DNS_PACKET_HEADER(p)->ancount = htobe16(dns_answer_size(answer));
665
666 r = dns_packet_append_answer(p, soa);
667 if (r < 0)
668 return r;
669 DNS_PACKET_HEADER(p)->arcount = htobe16(dns_answer_size(soa));
670
671 *ret = TAKE_PTR(p);
672
673 return 0;
674 }
675
676 static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
677 DnsResourceRecord *rr;
678 DnsResourceKey *key;
679
680 assert(s);
681 assert(p);
682
683 DNS_QUESTION_FOREACH(key, p->question)
684 dns_zone_verify_conflicts(&s->zone, key);
685
686 DNS_ANSWER_FOREACH(rr, p->answer)
687 dns_zone_verify_conflicts(&s->zone, rr->key);
688 }
689
690 void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
691 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
692 _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
693 DnsResourceKey *key = NULL;
694 bool tentative = false;
695 int r;
696
697 assert(s);
698 assert(p);
699
700 if (p->protocol != DNS_PROTOCOL_LLMNR)
701 return;
702
703 if (p->ipproto == IPPROTO_UDP) {
704 /* Don't accept UDP queries directed to anything but
705 * the LLMNR multicast addresses. See RFC 4795,
706 * section 2.5. */
707
708 if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
709 return;
710
711 if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
712 return;
713 }
714
715 r = dns_packet_extract(p);
716 if (r < 0) {
717 log_debug_errno(r, "Failed to extract resource records from incoming packet: %m");
718 return;
719 }
720
721 if (DNS_PACKET_LLMNR_C(p)) {
722 /* Somebody notified us about a possible conflict */
723 dns_scope_verify_conflicts(s, p);
724 return;
725 }
726
727 assert(dns_question_size(p->question) == 1);
728 key = p->question->keys[0];
729
730 r = dns_zone_lookup(&s->zone, key, 0, &answer, &soa, &tentative);
731 if (r < 0) {
732 log_debug_errno(r, "Failed to lookup key: %m");
733 return;
734 }
735 if (r == 0)
736 return;
737
738 if (answer)
739 dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
740
741 r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
742 if (r < 0) {
743 log_debug_errno(r, "Failed to build reply packet: %m");
744 return;
745 }
746
747 if (stream) {
748 r = dns_stream_write_packet(stream, reply);
749 if (r < 0) {
750 log_debug_errno(r, "Failed to enqueue reply packet: %m");
751 return;
752 }
753
754 /* Let's take an extra reference on this stream, so that it stays around after returning. The reference
755 * will be dangling until the stream is disconnected, and the default completion handler of the stream
756 * will then unref the stream and destroy it */
757 if (DNS_STREAM_QUEUED(stream))
758 dns_stream_ref(stream);
759 } else {
760 int fd;
761
762 if (!ratelimit_below(&s->ratelimit))
763 return;
764
765 if (p->family == AF_INET)
766 fd = manager_llmnr_ipv4_udp_fd(s->manager);
767 else if (p->family == AF_INET6)
768 fd = manager_llmnr_ipv6_udp_fd(s->manager);
769 else {
770 log_debug("Unknown protocol");
771 return;
772 }
773 if (fd < 0) {
774 log_debug_errno(fd, "Failed to get reply socket: %m");
775 return;
776 }
777
778 /* Note that we always immediately reply to all LLMNR
779 * requests, and do not wait any time, since we
780 * verified uniqueness for all records. Also see RFC
781 * 4795, Section 2.7 */
782
783 r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, NULL, reply);
784 if (r < 0) {
785 log_debug_errno(r, "Failed to send reply packet: %m");
786 return;
787 }
788 }
789 }
790
791 DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsResourceKey *key, bool cache_ok) {
792 DnsTransaction *t;
793
794 assert(scope);
795 assert(key);
796
797 /* Try to find an ongoing transaction that is a equal to the
798 * specified question */
799 t = hashmap_get(scope->transactions_by_key, key);
800 if (!t)
801 return NULL;
802
803 /* Refuse reusing transactions that completed based on cached
804 * data instead of a real packet, if that's requested. */
805 if (!cache_ok &&
806 IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_RCODE_FAILURE) &&
807 t->answer_source != DNS_TRANSACTION_NETWORK)
808 return NULL;
809
810 return t;
811 }
812
813 static int dns_scope_make_conflict_packet(
814 DnsScope *s,
815 DnsResourceRecord *rr,
816 DnsPacket **ret) {
817
818 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
819 int r;
820
821 assert(s);
822 assert(rr);
823 assert(ret);
824
825 r = dns_packet_new(&p, s->protocol, 0, DNS_PACKET_SIZE_MAX);
826 if (r < 0)
827 return r;
828
829 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
830 0 /* qr */,
831 0 /* opcode */,
832 1 /* conflict */,
833 0 /* tc */,
834 0 /* t */,
835 0 /* (ra) */,
836 0 /* (ad) */,
837 0 /* (cd) */,
838 0));
839
840 /* For mDNS, the transaction ID should always be 0 */
841 if (s->protocol != DNS_PROTOCOL_MDNS)
842 random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
843
844 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
845 DNS_PACKET_HEADER(p)->arcount = htobe16(1);
846
847 r = dns_packet_append_key(p, rr->key, 0, NULL);
848 if (r < 0)
849 return r;
850
851 r = dns_packet_append_rr(p, rr, 0, NULL, NULL);
852 if (r < 0)
853 return r;
854
855 *ret = TAKE_PTR(p);
856
857 return 0;
858 }
859
860 static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata) {
861 DnsScope *scope = userdata;
862 int r;
863
864 assert(es);
865 assert(scope);
866
867 scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
868
869 for (;;) {
870 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
871 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
872 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
873
874 key = ordered_hashmap_first_key(scope->conflict_queue);
875 if (!key)
876 break;
877
878 rr = ordered_hashmap_remove(scope->conflict_queue, key);
879 assert(rr);
880
881 r = dns_scope_make_conflict_packet(scope, rr, &p);
882 if (r < 0) {
883 log_error_errno(r, "Failed to make conflict packet: %m");
884 return 0;
885 }
886
887 r = dns_scope_emit_udp(scope, -1, p);
888 if (r < 0)
889 log_debug_errno(r, "Failed to send conflict packet: %m");
890 }
891
892 return 0;
893 }
894
895 int dns_scope_notify_conflict(DnsScope *scope, DnsResourceRecord *rr) {
896 usec_t jitter;
897 int r;
898
899 assert(scope);
900 assert(rr);
901
902 /* We don't send these queries immediately. Instead, we queue
903 * them, and send them after some jitter delay. */
904 r = ordered_hashmap_ensure_allocated(&scope->conflict_queue, &dns_resource_key_hash_ops);
905 if (r < 0) {
906 log_oom();
907 return r;
908 }
909
910 /* We only place one RR per key in the conflict
911 * messages, not all of them. That should be enough to
912 * indicate where there might be a conflict */
913 r = ordered_hashmap_put(scope->conflict_queue, rr->key, rr);
914 if (IN_SET(r, 0, -EEXIST))
915 return 0;
916 if (r < 0)
917 return log_debug_errno(r, "Failed to queue conflicting RR: %m");
918
919 dns_resource_key_ref(rr->key);
920 dns_resource_record_ref(rr);
921
922 if (scope->conflict_event_source)
923 return 0;
924
925 random_bytes(&jitter, sizeof(jitter));
926 jitter %= LLMNR_JITTER_INTERVAL_USEC;
927
928 r = sd_event_add_time(scope->manager->event,
929 &scope->conflict_event_source,
930 clock_boottime_or_monotonic(),
931 now(clock_boottime_or_monotonic()) + jitter,
932 LLMNR_JITTER_INTERVAL_USEC,
933 on_conflict_dispatch, scope);
934 if (r < 0)
935 return log_debug_errno(r, "Failed to add conflict dispatch event: %m");
936
937 (void) sd_event_source_set_description(scope->conflict_event_source, "scope-conflict");
938
939 return 0;
940 }
941
942 void dns_scope_check_conflicts(DnsScope *scope, DnsPacket *p) {
943 DnsResourceRecord *rr;
944 int r;
945
946 assert(scope);
947 assert(p);
948
949 if (!IN_SET(p->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS))
950 return;
951
952 if (DNS_PACKET_RRCOUNT(p) <= 0)
953 return;
954
955 if (p->protocol == DNS_PROTOCOL_LLMNR) {
956 if (DNS_PACKET_LLMNR_C(p) != 0)
957 return;
958
959 if (DNS_PACKET_LLMNR_T(p) != 0)
960 return;
961 }
962
963 if (manager_our_packet(scope->manager, p))
964 return;
965
966 r = dns_packet_extract(p);
967 if (r < 0) {
968 log_debug_errno(r, "Failed to extract packet: %m");
969 return;
970 }
971
972 log_debug("Checking for conflicts...");
973
974 DNS_ANSWER_FOREACH(rr, p->answer) {
975 /* No conflict if it is DNS-SD RR used for service enumeration. */
976 if (dns_resource_key_is_dnssd_ptr(rr->key))
977 continue;
978
979 /* Check for conflicts against the local zone. If we
980 * found one, we won't check any further */
981 r = dns_zone_check_conflicts(&scope->zone, rr);
982 if (r != 0)
983 continue;
984
985 /* Check for conflicts against the local cache. If so,
986 * send out an advisory query, to inform everybody */
987 r = dns_cache_check_conflicts(&scope->cache, rr, p->family, &p->sender);
988 if (r <= 0)
989 continue;
990
991 dns_scope_notify_conflict(scope, rr);
992 }
993 }
994
995 void dns_scope_dump(DnsScope *s, FILE *f) {
996 assert(s);
997
998 if (!f)
999 f = stdout;
1000
1001 fputs("[Scope protocol=", f);
1002 fputs(dns_protocol_to_string(s->protocol), f);
1003
1004 if (s->link) {
1005 fputs(" interface=", f);
1006 fputs(s->link->name, f);
1007 }
1008
1009 if (s->family != AF_UNSPEC) {
1010 fputs(" family=", f);
1011 fputs(af_to_name(s->family), f);
1012 }
1013
1014 fputs("]\n", f);
1015
1016 if (!dns_zone_is_empty(&s->zone)) {
1017 fputs("ZONE:\n", f);
1018 dns_zone_dump(&s->zone, f);
1019 }
1020
1021 if (!dns_cache_is_empty(&s->cache)) {
1022 fputs("CACHE:\n", f);
1023 dns_cache_dump(&s->cache, f);
1024 }
1025 }
1026
1027 DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s) {
1028 assert(s);
1029
1030 if (s->protocol != DNS_PROTOCOL_DNS)
1031 return NULL;
1032
1033 if (s->link)
1034 return s->link->search_domains;
1035
1036 return s->manager->search_domains;
1037 }
1038
1039 bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name) {
1040 assert(s);
1041
1042 if (s->protocol != DNS_PROTOCOL_DNS)
1043 return false;
1044
1045 return dns_name_is_single_label(name);
1046 }
1047
1048 bool dns_scope_network_good(DnsScope *s) {
1049 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1050 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1051 * DNS scope we check whether there are any links that are up and have an address. */
1052
1053 if (s->link)
1054 return true;
1055
1056 return manager_routable(s->manager, AF_UNSPEC);
1057 }
1058
1059 int dns_scope_ifindex(DnsScope *s) {
1060 assert(s);
1061
1062 if (s->link)
1063 return s->link->ifindex;
1064
1065 return 0;
1066 }
1067
1068 static int on_announcement_timeout(sd_event_source *s, usec_t usec, void *userdata) {
1069 DnsScope *scope = userdata;
1070
1071 assert(s);
1072
1073 scope->announce_event_source = sd_event_source_unref(scope->announce_event_source);
1074
1075 (void) dns_scope_announce(scope, false);
1076 return 0;
1077 }
1078
1079 int dns_scope_announce(DnsScope *scope, bool goodbye) {
1080 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1081 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1082 _cleanup_set_free_ Set *types = NULL;
1083 DnsTransaction *t;
1084 DnsZoneItem *z, *i;
1085 unsigned size = 0;
1086 Iterator iterator;
1087 char *service_type;
1088 int r;
1089
1090 if (!scope)
1091 return 0;
1092
1093 if (scope->protocol != DNS_PROTOCOL_MDNS)
1094 return 0;
1095
1096 /* Check if we're done with probing. */
1097 LIST_FOREACH(transactions_by_scope, t, scope->transactions)
1098 if (DNS_TRANSACTION_IS_LIVE(t->state))
1099 return 0;
1100
1101 /* Check if there're services pending conflict resolution. */
1102 if (manager_next_dnssd_names(scope->manager))
1103 return 0; /* we reach this point only if changing hostname didn't help */
1104
1105 /* Calculate answer's size. */
1106 HASHMAP_FOREACH(z, scope->zone.by_key, iterator) {
1107 if (z->state != DNS_ZONE_ITEM_ESTABLISHED)
1108 continue;
1109
1110 if (z->rr->key->type == DNS_TYPE_PTR &&
1111 !dns_zone_contains_name(&scope->zone, z->rr->ptr.name)) {
1112 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1113
1114 log_debug("Skip PTR RR <%s> since its counterparts seem to be withdrawn", dns_resource_key_to_string(z->rr->key, key_str, sizeof key_str));
1115 z->state = DNS_ZONE_ITEM_WITHDRAWN;
1116 continue;
1117 }
1118
1119 /* Collect service types for _services._dns-sd._udp.local RRs in a set */
1120 if (!scope->announced &&
1121 dns_resource_key_is_dnssd_ptr(z->rr->key)) {
1122 if (!set_contains(types, dns_resource_key_name(z->rr->key))) {
1123 r = set_ensure_allocated(&types, &dns_name_hash_ops);
1124 if (r < 0)
1125 return log_debug_errno(r, "Failed to allocate set: %m");
1126
1127 r = set_put(types, dns_resource_key_name(z->rr->key));
1128 if (r < 0)
1129 return log_debug_errno(r, "Failed to add item to set: %m");
1130 }
1131 }
1132
1133 LIST_FOREACH(by_key, i, z)
1134 size++;
1135 }
1136
1137 answer = dns_answer_new(size + set_size(types));
1138 if (!answer)
1139 return log_oom();
1140
1141 /* Second iteration, actually add RRs to the answer. */
1142 HASHMAP_FOREACH(z, scope->zone.by_key, iterator)
1143 LIST_FOREACH (by_key, i, z) {
1144 DnsAnswerFlags flags;
1145
1146 if (i->state != DNS_ZONE_ITEM_ESTABLISHED)
1147 continue;
1148
1149 if (dns_resource_key_is_dnssd_ptr(i->rr->key))
1150 flags = goodbye ? DNS_ANSWER_GOODBYE : 0;
1151 else
1152 flags = goodbye ? (DNS_ANSWER_GOODBYE|DNS_ANSWER_CACHE_FLUSH) : DNS_ANSWER_CACHE_FLUSH;
1153
1154 r = dns_answer_add(answer, i->rr, 0 , flags);
1155 if (r < 0)
1156 return log_debug_errno(r, "Failed to add RR to announce: %m");
1157 }
1158
1159 /* Since all the active services are in the zone make them discoverable now. */
1160 SET_FOREACH(service_type, types, iterator) {
1161 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr;
1162
1163 rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_PTR,
1164 "_services._dns-sd._udp.local");
1165 rr->ptr.name = strdup(service_type);
1166 rr->ttl = MDNS_DEFAULT_TTL;
1167
1168 r = dns_zone_put(&scope->zone, scope, rr, false);
1169 if (r < 0)
1170 log_warning_errno(r, "Failed to add DNS-SD PTR record to MDNS zone: %m");
1171
1172 r = dns_answer_add(answer, rr, 0 , 0);
1173 if (r < 0)
1174 return log_debug_errno(r, "Failed to add RR to announce: %m");
1175 }
1176
1177 if (dns_answer_isempty(answer))
1178 return 0;
1179
1180 r = dns_scope_make_reply_packet(scope, 0, DNS_RCODE_SUCCESS, NULL, answer, NULL, false, &p);
1181 if (r < 0)
1182 return log_debug_errno(r, "Failed to build reply packet: %m");
1183
1184 r = dns_scope_emit_udp(scope, -1, p);
1185 if (r < 0)
1186 return log_debug_errno(r, "Failed to send reply packet: %m");
1187
1188 /* In section 8.3 of RFC6762: "The Multicast DNS responder MUST send at least two unsolicited
1189 * responses, one second apart." */
1190 if (!scope->announced) {
1191 usec_t ts;
1192
1193 scope->announced = true;
1194
1195 assert_se(sd_event_now(scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
1196 ts += MDNS_ANNOUNCE_DELAY;
1197
1198 r = sd_event_add_time(
1199 scope->manager->event,
1200 &scope->announce_event_source,
1201 clock_boottime_or_monotonic(),
1202 ts,
1203 MDNS_JITTER_RANGE_USEC,
1204 on_announcement_timeout, scope);
1205 if (r < 0)
1206 return log_debug_errno(r, "Failed to schedule second announcement: %m");
1207
1208 (void) sd_event_source_set_description(scope->announce_event_source, "mdns-announce");
1209 }
1210
1211 return 0;
1212 }
1213
1214 int dns_scope_add_dnssd_services(DnsScope *scope) {
1215 Iterator i;
1216 DnssdService *service;
1217 DnssdTxtData *txt_data;
1218 int r;
1219
1220 assert(scope);
1221
1222 if (hashmap_size(scope->manager->dnssd_services) == 0)
1223 return 0;
1224
1225 scope->announced = false;
1226
1227 HASHMAP_FOREACH(service, scope->manager->dnssd_services, i) {
1228 service->withdrawn = false;
1229
1230 r = dns_zone_put(&scope->zone, scope, service->ptr_rr, false);
1231 if (r < 0)
1232 log_warning_errno(r, "Failed to add PTR record to MDNS zone: %m");
1233
1234 r = dns_zone_put(&scope->zone, scope, service->srv_rr, true);
1235 if (r < 0)
1236 log_warning_errno(r, "Failed to add SRV record to MDNS zone: %m");
1237
1238 LIST_FOREACH(items, txt_data, service->txt_data_items) {
1239 r = dns_zone_put(&scope->zone, scope, txt_data->rr, true);
1240 if (r < 0)
1241 log_warning_errno(r, "Failed to add TXT record to MDNS zone: %m");
1242 }
1243 }
1244
1245 return 0;
1246 }
1247
1248 int dns_scope_remove_dnssd_services(DnsScope *scope) {
1249 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
1250 Iterator i;
1251 DnssdService *service;
1252 DnssdTxtData *txt_data;
1253 int r;
1254
1255 assert(scope);
1256
1257 key = dns_resource_key_new(DNS_CLASS_IN, DNS_TYPE_PTR,
1258 "_services._dns-sd._udp.local");
1259 if (!key)
1260 return log_oom();
1261
1262 r = dns_zone_remove_rrs_by_key(&scope->zone, key);
1263 if (r < 0)
1264 return r;
1265
1266 HASHMAP_FOREACH(service, scope->manager->dnssd_services, i) {
1267 dns_zone_remove_rr(&scope->zone, service->ptr_rr);
1268 dns_zone_remove_rr(&scope->zone, service->srv_rr);
1269 LIST_FOREACH(items, txt_data, service->txt_data_items)
1270 dns_zone_remove_rr(&scope->zone, txt_data->rr);
1271 }
1272
1273 return 0;
1274 }
Unnamed repository; edit this file 'description' to name the repository.